usbguard.exe Binary Code Analysis - File Md5: 7fbc290abd474dece7c74c27e157d8fd

File hash value (MD5): 7fbc290abd474dece7c74c27e157d8fd. This is a 32-bit EXE file with a file size of 991 K. This page analyzes the binary code of the file, that is, its PE file format. Understanding the content requires some computer expertise; it is mainly provided to people who work in computer security maintenance, in the hope of contributing to the cause of computer security.


File Binary Code Analysis:

File layout:
  • DOS Stub
  • ...
  • .text SECTION #1
  • .rdata SECTION #2
  • .data SECTION #3
  • .rsrc SECTION #4
  • .yvs SECTION #5
DOS Header

| Type | Name | Value | Memo |
|------|------|-------|------|
| WORD | e_magic | 0x00005A4D | DOS signature |
| WORD | e_cblp | 0x00000090 | Bytes on last page of file |
| WORD | e_cp | 0x00000003 | Pages in file |
| WORD | e_crlc | 0x00000000 | Relocations |
| WORD | e_cparhdr | 0x00000004 | Size of header in paragraphs |
| WORD | e_minalloc | 0x00000000 | Minimum extra paragraphs needed |
| WORD | e_maxalloc | 0x0000FFFF | Maximum extra paragraphs needed |
| WORD | e_ss | 0x00000000 | Initial (relative) SS value |
| WORD | e_sp | 0x000000B8 | Initial SP value |
| WORD | e_csum | 0x00000000 | Checksum |
| WORD | e_ip | 0x00000000 | Initial IP value |
| WORD | e_cs | 0x00000000 | Initial (relative) CS value |
| WORD | e_lfarlc | 0x00000040 | File address of relocation table |
| WORD | e_ovno | 0x00000000 | Overlay number |
| WORD | e_res[4] | [0]=0x00002D5C, [1]=0x0000B9B4, [2]=0x00000000, [3]=0x00000000 | Reserved words |
| WORD | e_oemid | 0x00000000 | OEM identifier (for e_oeminfo) |
| WORD | e_oeminfo | 0x00000000 | OEM information; e_oemid specific |
| WORD | e_res2[10] | [1] to [10] = 0x00000000 | Reserved words |
| WORD | e_lfanew | 0x000000F8 | PE file header address |
NT HEADER - NT File Signature

| Type | Name | Value | Memo |
|------|------|-------|------|
| DWORD | Signature | 0x00004550 | PE file signature: "PE" |
NT HEADER - FILE HEADER

| Type | Name | Value | Memo |
|------|------|-------|------|
| WORD | Machine | 0x0000014C | Target machine (32-bit or 64-bit) |
| WORD | NumberOfSections | 0x00000005 | Number of sections |
| DWORD | TimeDateStamp | 0x48D8B517 | File create time |
| DWORD | PointerToSymbolTable | 0x00000000 | Pointer to symbol table |
| DWORD | NumberOfSymbols | 0x00000000 | Number of symbols |
| WORD | SizeOfOptionalHeader | 0x000000E0 | Size of optional header |
| WORD | Characteristics | 0x0000010F | File type (EXE or DLL) |
NT HEADER - OPTIONAL HEADER

| Type | Name | Value | Memo |
|------|------|-------|------|
| WORD | Magic | 0x0000010B | Magic |
| BYTE | MajorLinkerVersion | 0x00000006 | Major linker version |
| BYTE | MinorLinkerVersion | 0x00000000 | Minor linker version |
| DWORD | SizeOfCode | 0x0001B000 | Size of code |
| DWORD | SizeOfInitializedData | 0x000A7000 | Size of initialized data |
| DWORD | SizeOfUninitializedData | 0x00000000 | Size of uninitialized data |
| DWORD | AddressOfEntryPoint | 0x000F65D8 | Address of entry point |
| DWORD | BaseOfCode | 0x00001000 | Base of code |
| DWORD | BaseOfData | 0x0001C000 | Base of data |
| DWORD | ImageBase | 0x00400000 | Image base |
| DWORD | SectionAlignment | 0x00001000 | Section alignment |
| DWORD | FileAlignment | 0x00001000 | File alignment |
| WORD | MajorOperatingSystemVersion | 0x00000004 | Major operating system version |
| WORD | MinorOperatingSystemVersion | 0x00000000 | Minor operating system version |
| WORD | MajorImageVersion | 0x00000000 | Major image version |
| WORD | MinorImageVersion | 0x00000000 | Minor image version |
| WORD | MajorSubsystemVersion | 0x00000004 | Major subsystem version |
| WORD | MinorSubsystemVersion | 0x00000000 | Minor subsystem version |
| DWORD | Win32VersionValue | 0x00000000 | Win32 version value |
| DWORD | SizeOfImage | 0x000F8000 | Size of image |
| DWORD | SizeOfHeaders | 0x00001000 | Size of headers |
| DWORD | CheckSum | 0x00000000 | Checksum |
| WORD | Subsystem | 0x00000002 | Subsystem |
| WORD | DllCharacteristics | 0x00000000 | DLL characteristics |
| DWORD | SizeOfStackReserve | 0x00100000 | Size of stack reserve |
| DWORD | SizeOfStackCommit | 0x00001000 | Size of stack commit |
| DWORD | SizeOfHeapReserve | 0x00100000 | Size of heap reserve |
| DWORD | SizeOfHeapCommit | 0x00001000 | Size of heap commit |
| DWORD | LoaderFlags | 0x00000000 | Loader flags |
| DWORD | NumberOfRvaAndSizes | 0x00000010 | Number of RVA and sizes |
NT HEADER - OPTIONAL HEADER - Data Directory

Each entry consists of two DWORD fields: the data directory virtual address and the data directory size.

| Entry | VirtualAddress | Size |
|-------|----------------|------|
| DataDirectory[1] | 0x00000000 | 0x00000000 |
| DataDirectory[2] | 0x000207B8 | 0x000000F0 |
| DataDirectory[3] | 0x00024000 | 0x0009EBD0 |
| DataDirectory[4] | 0x00000000 | 0x00000000 |
| DataDirectory[5] | 0x00000000 | 0x00000000 |
| DataDirectory[6] | 0x00000000 | 0x00000000 |
| DataDirectory[7] | 0x00000000 | 0x00000000 |
| DataDirectory[8] | 0x00000000 | 0x00000000 |
| DataDirectory[9] | 0x00000000 | 0x00000000 |
| DataDirectory[10] | 0x00000000 | 0x00000000 |
| DataDirectory[11] | 0x00000000 | 0x00000000 |
| DataDirectory[12] | 0x00000000 | 0x00000000 |
| DataDirectory[13] | 0x0001C000 | 0x00000794 |
| DataDirectory[14] | 0x00000000 | 0x00000000 |
| DataDirectory[15] | 0x00000000 | 0x00000000 |
| DataDirectory[16] | 0x00000000 | 0x00000000 |
SECTION HEADERS (#1 to #5)

Field types: Name is BYTE[8]; NumberOfRelocations and NumberOfLinenumbers are WORD; all other fields are DWORD.

| # | Name | VirtualSize | VirtualAddress | SizeOfRawData | PointerToRawData | PointerToRelocations | PointerToLinenumbers | NumberOfRelocations | NumberOfLinenumbers | Characteristics |
|---|------|-------------|----------------|---------------|------------------|----------------------|----------------------|---------------------|---------------------|-----------------|
| 1 | .text | 0x0001B000 | 0x00001000 | 0x0001B000 | 0x00001000 | 0x00000000 | 0x00000000 | 0x00000000 | 0x00000000 | 0xE0000060 |
| 2 | .rdata | 0x00005E2E | 0x0001C000 | 0x00006000 | 0x0001C000 | 0x00000000 | 0x00000000 | 0x00000000 | 0x00000000 | 0xC0000040 |
| 3 | .data | 0x00001CD4 | 0x00022000 | 0x00002000 | 0x00022000 | 0x00000000 | 0x00000000 | 0x00000000 | 0x00000000 | 0xC0000040 |
| 4 | .rsrc | 0x000A6EC6 | 0x00024000 | 0x000A6EC6 | 0x00024000 | 0x00000000 | 0x00000000 | 0x00000000 | 0x00000000 | 0xE0000060 |
| 5 | .yvs | 0x0002CFD4 | 0x000CB000 | 0x0002CFD4 | 0x000CB000 | 0xFFE0B00C | 0x0013FFD1 | 0x00000000 | 0x00000000 | 0xE0000020 |

Called external files and functions:

In general, malicious files call these types of functions: functions that intercept data, network functions, functions that modify registry information, functions that access the browser's private cookies, and functions that bypass the system to read hard-disk data directly. (Note: the files below may be called by malicious files, but they are not necessarily malicious themselves; they may be normal system files.)

Import File - WINMM.dll
  • PlaySoundA

Import File - WININET.dll
  • FindCloseUrlCache
  • FindNextUrlCacheEntryA
  • DeleteUrlCacheEntry
  • FindFirstUrlCacheEntryA
Import File - MFC42.DLL
Import File - MSVCRT.dll
  • _setmbcp
  • sprintf
  • free
  • malloc
  • wcscpy
  • wcslen
  • _ftol
  • memmove
  • _mbscmp
  • _mbsnbcpy
  • _mbsstr
  • printf
  • atoi
  • __dllonexit
  • _onexit
  • _exit
  • _XcptFilter
  • exit
  • _acmdln
  • __getmainargs
  • _initterm
  • __setusermatherr
  • _adjust_fdiv
  • __p__commode
  • __p__fmode
  • __set_app_type
  • _except_handler3
  • _controlfp
  • __CxxFrameHandler
Import File - KERNEL32.dll
  • LoadLibraryA
  • GetProcAddress
  • GetPrivateProfileStringA
  • CreateSemaphoreA
  • GetModuleHandleA
  • GetProcAddress
  • GetCurrentThreadId
  • CreateProcessA
  • WritePrivateProfileStringA
  • ReadFile
  • SetFilePointer
  • GetCurrentProcess
  • GetTempPathA
  • GetLastError
  • Module32First
  • Module32Next
  • RemoveDirectoryA
  • CreateDirectoryA
  • WriteFile
  • CreateFileA
  • GetLogicalDrives
  • GetDriveTypeA
  • DeviceIoControl
  • GetModuleFileNameA
  • lstrcatA
  • WinExec
  • lstrcpyA
  • LoadLibraryA
  • FreeLibrary
  • DeleteFileA
  • FindFirstFileA
  • FindNextFileA
  • FindClose
  • lstrcmpiA
  • FindResourceA
  • LoadResource
  • LockResource
  • GetCPInfo
  • lstrlenW
  • lstrlenA
  • GetVersion
  • GetVersionExA
  • GetWindowsDirectoryA
  • SearchPathA
  • Sleep
  • OpenProcess
  • TerminateProcess
  • SetFileAttributesA
  • CreateToolhelp32Snapshot
  • Process32First
  • GetFileAttributesA
  • Process32Next
  • CloseHandle
  • GetStartupInfoA
Import File - USER32.dll
  • LoadImageA
  • KillTimer
  • SetWindowLongA
  • MessageBeep
  • SetTimer
  • PtInRect
  • ScreenToClient
  • GetMessagePos
  • IsWindow
  • CopyIcon
  • LoadCursorA
  • FindWindowA
  • LoadIconA
  • wsprintfA
  • ExitWindowsEx
  • GetLastActivePopup
  • ShowWindow
  • GetPropA
  • GetWindow
  • DrawIcon
  • OffsetRect
  • SetPropA
  • RemovePropA
  • GetCursorPos
  • SetMenuDefaultItem
  • LoadMenuA
  • GetDC
  • DrawTextA
  • ReleaseDC
  • DrawIconEx
  • DestroyIcon
  • SystemParametersInfoA
  • GetSysColor
  • CopyRect
  • GetIconInfo
  • DrawEdge
  • SetRect
  • GetMenuItemInfoA
  • EnableWindow
  • SetForegroundWindow
  • SendMessageA
  • DrawFocusRect
  • GetWindowRect
  • PostMessageA
  • ClientToScreen
  • WindowFromPoint
  • GetActiveWindow
  • InvalidateRect
  • SetCursor
  • GetParent
  • GetNextDlgTabItem
  • IsMenu
  • GetWindowLongA
  • DestroyCursor
  • GrayStringA
  • TabbedTextOutA
  • GetSubMenu
  • LoadBitmapA
  • GetSysColorBrush
  • GetMenuStringA
  • CreateMenu
  • CreatePopupMenu
  • GetMenuItemID
  • GetMenuState
  • ModifyMenuA
  • GetMenuItemCount
  • AppendMenuA
  • CreateIconIndirect
  • DrawStateA
  • GetClientRect
  • FrameRect
  • FillRect
  • InflateRect
  • GetSystemMetrics
  • IsIconic
  • GetDesktopWindow
Import File - GDI32.dll
  • CreateDIBSection
  • SetPixel
  • GetPixel
  • GetObjectA
  • PatBlt
  • SelectObject
  • RectVisible
  • TextOutA
  • ExtTextOutA
  • Escape
  • GetStockObject
  • SetTextColor
  • SetBkColor
  • CreateBitmap
  • BitBlt
  • DeleteObject
  • DeleteDC
  • Ellipse
  • GetTextExtentPoint32A
  • GetTextExtentPoint32W
  • CreateCompatibleBitmap
  • CreateCompatibleDC
  • CreateFontIndirectA
  • CreateSolidBrush
  • CreatePen
  • GetBkMode
  • PtVisible
  • CreateFontA
  • GetDeviceCaps
Import File - ADVAPI32.dll
  • OpenProcessToken
  • RegEnumValueA
  • RegOpenKeyExA
  • RegDeleteValueA
  • RegQueryValueExA
  • RegQueryValueA
  • RegSetValueExA
  • RegCreateKeyExA
  • RegCloseKey
  • LookupPrivilegeValueA
  • AdjustTokenPrivileges
Import File - SHELL32.dll
  • SHGetSpecialFolderPathA
  • Shell_NotifyIconA
  • ShellExecuteA
  • ShellExecuteExA
  • SHEmptyRecycleBinA
Import File - COMCTL32.dll
  • ImageList_AddMasked
  • ImageList_ReplaceIcon
  • _TrackMouseEvent
  • ImageList_GetImageCount
  • ImageList_GetIcon
  • ImageList_Draw
Import File - VERSION.dll
  • GetFileVersionInfoA

These are my analysis results for this malicious file. If you have any questions, or have any problems that cannot be resolved, you can leave a message or email me.


Copyright statement: The above data was obtained by my analysis; without authorization, you may not copy or reprint it.
    Copyright © 2016-2019 mygoodtools.com All rights reserved.